Business and Enterprise Solutions

In Umbraco versions prior to 10.8.9 and prior to 13.7.1 a medium severity vulnerability CVE-2025-27602 was detected. This vulnerability allows authenticated backoffice users to retrieve or delete content and media from restricted folders by manipulating backoffice API URLs. To address this issue, users should upgrade Umbraco to versions 10.8.9 and 13.7.1. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-27602.

In Workreap plugin for WordPress versions up to and including 3.2.5 a critical severity vulnerability CVE-2024-13446 was detected. This vulnerability allows attackers to escalate privileges through account takeover by exploiting the plugin’s failure to properly validate a user’s identity before performing social auto-login or updating profile details, including password changes, enabling unauthenticated attackers to log in as any user by knowing their email address or change an arbitrary user’s password, including administrators, to gain unauthorized access. To address this issue, users should upgrade Workreap plugin to versions 3.2.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13446.

In WP Crowdfunding plugin for WordPress versions 2.1.13 and prior a medium severity vulnerability CVE-2025-1508 was detected. This vulnerability allows authenticated attackers with subscriber-level access and above to download all post content of a site when WooCommerce is installed, due to a missing capability check on the download_data action. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1508.

In SEO Tools plugin for WordPress versions 4.0.7 and prior a high severity vulnerability CVE-2024-13853 was detected. This vulnerability allows attackers to exploit a Reflected Cross-Site Scripting (XSS) flaw due to improper sanitization and escaping of a parameter, potentially targeting high-privilege users such as administrators. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13853.

In WP Login Control plugin for WordPress versions 2.0.0 and prior a high severity vulnerability CVE-2024-13836 was detected. This vulnerability allows attackers to exploit a Reflected Cross-Site Scripting (XSS) flaw due to improper sanitization and escaping of a parameter, potentially targeting high-privilege users such as administrators. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13836.

In XV Random Quotes plugin for WordPress versions 1.40 and prior a medium severity vulnerability CVE-2024-13580 was detected. This vulnerability allows attackers to exploit a Cross-Site Request Forgery (CSRF) flaw due to missing CSRF checks when updating plugin settings. This could enable an attacker to trick a logged-in admin into resetting the settings. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13580.

In ProductDyno plugin for WordPress versions 1.0.24 and prior a medium severity vulnerability CVE-2024-13413 was detected. This vulnerability allows attackers to exploit reflected Cross-Site Scripting (XSS) via the ‘res’ parameter due to insufficient input sanitization and output escaping, enabling unauthenticated attackers to inject arbitrary web scripts into pages that execute when a user is tricked into clicking on a link. To address this issue, users should upgrade ProductDyno plugin to version 1.0.25 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13413.

In Spreadsheet Integration plugin for WordPress versions 3.8.2 and prior a medium severity vulnerability CVE-2025-1463 was detected. This vulnerability allows attackers to publish arbitrary posts, including private ones, by exploiting improper nonce validation in the class-wpgsi-show.php script. To address this issue, users should upgrade Spreadsheet Integration plugin to versions 3.8.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-1463.

In DesignThemes Core Features plugin for WordPress versions 4.7 and prior a high severity vulnerability CVE-2024-13471 was detected. This vulnerability allows unauthenticated attackers to read arbitrary files on the underlying operating system due to a missing capability check on the `dt_process_imported_file` function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-13471.